User-ID with Azure AD


L3 Networker

We currently use User-ID with an on-premises Active Directory server. We are planning on moving to Azure AD (not to be confused with AD services in Azure). Are there any plans on getting User-ID to work with Azure AD (web auth)? What other options can I use to continue to use User-ID if we do not have Active Directory on premises? Thanks.


8 REPLIES

Cyber Elite

There are several options:

- captive portal with NTLM
- forwarding authentication logs to an on-prem User-ID agent running as a syslog collector
- API
- GlobalProtect (inside the network it will not set up a VPN but will simply function as a User-ID client)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

If we were to pull all of our domain controllers from on-premises, wouldn't that kill the first two options? GlobalProtect might be the only option, but it is frowned on as it is something that we will have to install. What APIs are you referring to?

@jharlow When @reaper talks about NTLM auth via CP he's referring to the firewall utilizing the NTLM protocol to query a user's web browser for the credentials. When the browser provides credentials back, those credentials are then checked against whichever directory you specify and then retained in cache, also based on your specified duration.

If that "behind the screens" negotiation isn't successful, users will get a browser pop-up asking the user for creds.

One thing to keep in mind: you'll need to ensure the firewall's IP is in IE's Local Intranet configuration so IE will pass creds to the FW via the automated NTLM process.

NTLM would simply ensure transparent authentication for the users if available/possible (pretty exclusive to Windows), but in the backend 'normal' authentication methods can be used, for which the AD does not need to be on-prem.

Syslogs can be sent out of the AD for successful authentication events, and an on-prem User-ID agent can capture these and create user-IP mappings.


XML API would require a lot of scripting, but it's doable : Send User Mappings to User-ID Using the XML API

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
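The "API" option above refers to the PAN-OS XML API User-ID call that the linked article describes. The following is an added example of my own (not code from this thread or from Palo Alto Networks): it builds the `<uid-message>` document for login and logout events and submits it with `type=user-id`. `FW_HOST`, `API_KEY` and the user/IP pairs are placeholders I constructed; the script assumes the firewall's management certificate is trusted by the host running it and that the key belongs to an admin role limited to the User-ID API.

```python
"""Added example (not from the thread, not Palo Alto Networks code): build and submit
a User-ID login/logout mapping through the PAN-OS XML API (type=user-id).

Assumptions: FW_HOST is a placeholder management hostname, API_KEY is a placeholder for a
key tied to a User-ID-only admin role, the firewall certificate is trusted locally, and
the user/IP pairs below are constructed sample data."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FW_HOST = "fw.example.invalid"      # placeholder firewall management hostname
API_KEY = "REPLACE_WITH_API_KEY"    # placeholder; keep real keys out of source control


def build_uid_message(logins, logouts=(), timeout_minutes=60):
    """Return the <uid-message> XML for the User-ID API.

    logins/logouts are iterables of (user, ip) tuples. Each login entry carries a timeout
    so a mapping expires on its own even if the corresponding logout event never arrives,
    which keeps a stale user-to-IP mapping from lingering on a reassigned address."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login_el = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(login_el, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    if logouts:
        logout_el = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout_el, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def parse_api_status(body):
    """Extract the status attribute of the XML API <response>; 'success' means accepted."""
    return ET.fromstring(body).get("status")


def send_user_mapping(uid_xml, host=FW_HOST, api_key=API_KEY):
    """POST the mapping to https://<host>/api/ and return the response status string."""
    data = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    ctx = ssl.create_default_context()  # default context verifies the firewall's certificate
    with urllib.request.urlopen(f"https://{host}/api/", data=data, context=ctx, timeout=10) as resp:
        return parse_api_status(resp.read())


if __name__ == "__main__":
    msg = build_uid_message(
        logins=[("example\\alice", "10.20.30.40")],
        logouts=[("example\\bob", "10.20.30.41")],
    )
    print(msg)
    # print(send_user_mapping(msg))  # uncomment once FW_HOST and API_KEY are real
```

Whatever feeds this script (an Azure AD sign-in log export, a VPN concentrator, a NAC) becomes the source of truth for user-to-IP mappings, so it should only see events from sources you trust, and the timeout keeps the mapping bounded if that feed stops.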

I see the option under User-ID for NTLM (currently unchecked). Is simply checking this all that is needed? You mentioned it grabs the credentials from the browser, but if the user's machine is no longer on a local on-premises AD (simply connected via Azure AD through Windows 10), will there be credentials to grab? Let's assume the individual is prompted; how often will this take place (session cookie, restart of browser, PC restart, etc.)? And lastly, since yes, NTLM is a Windows thing, how will Macs and iOS devices handle this process? Will they simply get prompted to log in, and if so, the same last question applies (length of time).

I sent a request to support about Azure AD. This really needs to be added as there are more of us looking to move to Azure and fewer on-premises. Maybe PA version 11. 🙂


You'll also need to create a captive portal (authentication) policy that is set to 'browser challenge'.

It sends the browser a challenge; the browser will provide these (logged-in user creds) if it trusts the firewall (needs to trust the certificate, or via a PAC file).

The browser or user is prompted when the configurable timeout occurs, so if NTLM works nicely you could have the browser re-queried every hour; if you need to resort to a web form, you could set the timeout to 4 hours or more, so as not to bug users too much.

You can have captive portal give the user a cookie; in case their IP changes, that cookie can be presented instead of needing to authenticate.


I wrote a bunch of stuff in this article: Getting Started: User-ID, which you may find helpful.

let me know if there's anything missing 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I will reiterate: a Windows OS will not pass NTLM credentials to the firewall without modification to the client.

https://support.microsoft.com/en-us/kb/943280

"WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a website is in a zone that allows credentials to be sent automatically.

If no proxy is configured, WinHTTP sends credentials only to local intranet sites.

Note: If the URL contains no period in the server's name, such as in the following example, the server is assumed to be on a local intranet site:

http://sharepoint/davshare

If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.

Note: A server can be indicated for proxy bypass through either the bypass list or the proxy configuration script.

In this situation, you are either denied access or prompted to enter your credentials when the website asks for credentials. Even when this occurs, the security zone settings are ignored."

The NTLM challenges will be coming from the firewall, an IP address. This is going to be assumed to be an "Internet"-based NTLM challenge request, and as such the Windows client will not pass creds to the IP which is coming from the firewall.

The Windows KB indicates the proper registry setting to modify to bypass this security setting.

Looks like the KB points out a Win7 registry setting.

For Win10 the setting is in this directory:

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

On the right, open "Site to Zone Assignment List", enable it and click Show. Enter the IP address as the Value Name; the Value should be 1 for the Intranet zone.
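To make the KB rule above and the zone assignment concrete, here is an added example of mine (not code from this thread, from Palo Alto Networks or from Microsoft). It classifies a host the way the quoted KB text describes (dotless name, FQDN or IP literal), decides whether a Windows client would hand over NTLM credentials automatically given a zone map, and generates the Site to Zone Assignment entries for the firewall address. The registry key it renders is, to my knowledge, the one that policy populates; the firewall address `10.0.0.1` and the portal host names are constructed samples, and zone value `1` is the Local Intranet value the post gives.

```python
"""Added example (not from the thread, not Palo Alto Networks or Microsoft code): mirror the
WinHTTP/IE zone rule quoted from the KB and produce the Site to Zone Assignment entries
that place the firewall's captive-portal address in the Local Intranet zone.

Assumptions: zone value 1 = Local Intranet as the post states; ZONE_MAP_POLICY_KEY is, to my
knowledge, the key the 'Site to Zone Assignment List' policy populates; 10.0.0.1 and the
portal host names are constructed samples."""
import ipaddress

ZONE_LOCAL_INTRANET = 1  # the value the post says to enter

# Key populated by the Site to Zone Assignment List policy (assumption, see lead-in)
ZONE_MAP_POLICY_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
    r"\CurrentVersion\Internet Settings\ZoneMapKey"
)


def classify_host(host):
    """Distinguish the three cases the KB describes: dotless name, FQDN, IP literal."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "fqdn" if "." in host else "dotless"


def sends_creds_automatically(host, zone_map=None):
    """KB rule: a dotless name is treated as local intranet, so creds are sent automatically.
    Anything containing periods (an FQDN or an IP literal such as the firewall's address)
    is treated as Internet unless the site has been explicitly assigned to zone 1."""
    zone_map = zone_map or {}
    if zone_map.get(host) == str(ZONE_LOCAL_INTRANET):
        return True
    return classify_host(host) == "dotless"


def zone_assignment_entries(hosts, zone=ZONE_LOCAL_INTRANET):
    """Value Name = site, Value = zone number, exactly as entered in the GPO dialog."""
    return {host: str(zone) for host in hosts}


def uncovered_portal_hosts(portal_hosts, zone_map):
    """Return portal addresses the client would still treat as Internet. This catches the
    mismatch where the GPO lists the firewall's IP but the redirect uses its name, or vice versa."""
    return [h for h in portal_hosts if not sends_creds_automatically(h, zone_map)]


def to_reg_file(entries):
    """Render the entries as a .reg file so the result can be diffed against what the GPO pushed."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_MAP_POLICY_KEY}]"]
    lines += [f'"{site}"="{zone}"' for site, zone in entries.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    gpo = zone_assignment_entries(["10.0.0.1"])  # what the post tells you to enter
    # the FQDN redirect target is still uncovered: ['fw.corp.example']
    print(uncovered_portal_hosts(["10.0.0.1", "fw.corp.example"], gpo))
    print(to_reg_file(gpo))
```

The `uncovered_portal_hosts` check is the part worth keeping: the zone entry has to match whatever host the captive-portal redirect actually puts in the browser's address bar, and a mismatch degrades silently into the credential prompt the thread describes rather than an error.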
